HIPAA Policy Templates for Covered Entities




  • Model: Pce501


A Complete Set of 56 HIPAA Policy Templates for Covered Entities, All New and Fully Updated for the HIPAA Final Rule.

Updated with the latest "Omnibus" Final Rule requirements, these editable Policy Templates are ready to be customized for your individual needs. Fifty-six templates are included, covering every area required by HIPAA and more. From the experts at HIPAA Group, this template collection allows Covered Entities to meet their compliance obligations with a minimum of hassle and expense.

A complete set of Policies and Procedures is mandatory for HIPAA compliance. If you are ever investigated or charged with a HIPAA violation, your Policies and Procedures are typically the first thing investigators want to see. Make sure you are ready!

This product includes...

  • Fifty-six (56) ready-to-edit Policy Templates.
  • A complete instruction and editing guide.
  • A helpful NOTES section with every Policy Template, with the text of the HIPAA Regulation that applies to that policy; extras like OCR and CMS Guidance; and tips from the experts at HIPAA Group.
  • An optional "Mobile Device Policy" Template, not mandated by HIPAA, but highly requested by customers.

Policy Templates are all in Microsoft Word format, and require editing before use. Add your own specific procedures to align policies with your unique business operations and priorities.

This product contains the following Policy Templates...

1. General HIPAA Compliance Policy
   Citation: HITECH 13401
   Covered Entities and Business Associates, as defined in HIPAA and HITECH, must comply with all required parts and subparts of the regulations that apply to each type of Entity.

2. Policies & Procedures (General Requirement)
   Citation: 164.306; 164.316
   Implement reasonable and appropriate P&Ps to comply with all standards, implementation specifications, or other requirements. P&P changes must be appropriately documented.

3. Documentation Policy
   Maintain all P&Ps in written (may be electronic) form. If an action, activity or assessment must be documented, maintain written (may be electronic) records of all.

4. Documentation Retention Policy
   Retain all required documentation for 6 years from the date of its creation or the date when it last was in effect, whichever is later.

5. Documentation Availability Policy
   Make documentation available to those persons responsible for implementing the Policies and/or Procedures to which the documentation pertains.

6. Documentation Updates Policy
   Review documentation periodically and update as needed, in response to environmental or operational changes affecting the security of PHI.

7. HHS Investigations Policy
   Citation: 160.308
   CEs and BAs must implement policies & procedures to assure compliance with HHS investigation & recordkeeping requirements.

8. Breach Notification Policy
   Citation: 164.400 to
   Requires CEs and BAs to comply with all Breach Notification requirements: risk analysis; determination of potential harm; notifications.

9. Assign Privacy Official Policy
   Citation: 164.530(a)
   CEs and BAs must assign an individual for all Privacy-related activities and compliance efforts; and to accept and process complaints.

10. State Law Preemption Policy
    Citation: 160.201 to
    CEs and BAs must analyze and assess state law requirements related to data privacy & security; and HIPAA preemption impacts of state laws.

11. HIPAA Training Policy
    Citation: 164.530(b)
    CEs and BAs must train all affected workforce members on their Policies & Procedures, as well as the basics of HIPAA, as needed.

12. PHI Uses & Disclosures Policy
    Citation: 164.502 to
    CEs and BAs must establish methods and procedures to assure that all PHI uses & disclosures are in accord with HIPAA regs.

13. Patient Rights Policy
    Citation: 164.520 to
    CEs (and BAs optionally) must implement policies & procedures to assure the lawful provision of Patient Rights as called for in HIPAA regs.

14. Complaints Policy
    Citation: 164.530(d)
    CEs and BAs must establish methods and procedures to assure the proper handling of, and response to, all complaints received.

15. Risk Management Process Policy
    Citation: 164.302 to
    Establishes the overall Risk Management process that CEs and BAs must implement to meet Privacy & Security Rule compliance requirements.

16. Risk Analysis (Required Standard)
    Citation: 164.308(a)(1)
    Conduct assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity.

17. Risk Management (Required Standard)
    Citation: 164.308(a)(1)
    Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with Sec. 164.306(a).

18. Sanction Policy (Required Standard)
    Citation: 164.308(a)(1)
    Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.

19. Information System Activity Review (Required Standard)
    Citation: 164.308(a)(1)
    Implement procedures to regularly review information system activity: audit logs; access reports; security incident reports; etc.

20. Assigned Security (Required Standard)
    Citation: 164.308(a)(2)
    Assign security responsibility. Identify the Security Official responsible for development and implementation of required P&Ps.

21. Authorization & Supervision Policy (Addressable Standard)
    Citation: 164.308(a)(3)
    Implement procedures for authorization and/or supervision of workers who work with ePHI or in locations where it might be accessed.

22. Workforce Clearance (Addressable Standard)
    Citation: 164.308(a)(3)
    Implement procedures to determine that the access of a workforce member to ePHI is appropriate.

23. Termination Policy (Addressable Standard)
    Citation: 164.308(a)(3)
    Implement procedures for terminating access to ePHI when the employment ends or as required by (a)(3)(ii)(B) of this section.

24. Access Authorization (Addressable Standard)
    Citation: 164.308(a)(4)
    Implement policies and procedures for granting access to ePHI, for workstations, transactions, programs, processes, or other mechanisms.

25. Access Establishment and Modification (Addressable Standard)
    Citation: 164.308(a)(4)
    Implement P&Ps, based on Access Authorization policies, to establish, document, review, and modify a user's rights of access to workstations, transactions, programs, or processes.

26. Security Reminders (Addressable Standard)
    Citation: 164.308(a)(5)
    Implement periodic reminders of security and information safety best practices.

27. Protection from Malicious Software (Addressable Standard)
    Citation: 164.308(a)(5)
    Implement procedures for guarding against, detecting, and reporting malicious software.

28. Log-in Monitoring (Addressable Standard)
    Citation: 164.308(a)(5)
    Implement procedures for monitoring and reporting log-in attempts and discrepancies.

29. Password Management (Addressable Standard)
    Citation: 164.308(a)(5)
    Implement procedures for creating, changing, and safeguarding appropriate passwords.

30. Security Incident Policy (Required Standard)
    Citation: 164.400 to
    Identify and respond to suspected or known security incidents. Mitigate harmful effects. Document security incidents and their outcomes.

31. Data Backup Policy (Required Standard)
    Citation: 164.308(a)(7)
    Establish and implement procedures to create and maintain retrievable, exact copies of ePHI during unexpected negative events.

32. Disaster Recovery Policy (Required Standard)
    Citation: 164.308(a)(7)
    Establish (and implement as needed) procedures to restore any loss of data.

33. Emergency Mode Operation Policy (Required Standard)
    Citation: 164.308(a)(7)
    Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of ePHI while operating in emergency mode.

34. Testing and Revision (Addressable Standard)
    Citation: 164.308(a)(7)
    Implement procedures for periodic testing and revision of contingency and emergency plans.

35. Applications and Data Criticality Analysis (Addressable Standard)
    Citation: 164.308(a)(7)
    Assess the relative criticality of specific applications and data in support of other contingency plan components.

36. Evaluation Policy (Required Standard)
    Citation: 164.308(a)(8)
    Perform periodic technical & nontechnical evaluations, to establish how well security P&Ps meet the requirements of this subpart.

37. Business Associates Policy (Required Standard)
    CEs must obtain, and BAs must provide, written satisfactory assurances that all ePHI and PHI will be appropriately safeguarded.

38. Contingency Operations Policy (Addressable Standard)
    Citation: 164.310(a)(1-2)
    Establish (and implement as needed) procedures that allow facility access to support restoration of lost data in the event of an emergency.

39. Facility Security Policy (Addressable Standard)
    Citation: 164.310(a)(1-2)
    Implement P&Ps to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.

40. Access Control and Validation Policy (Addressable Standard)
    Citation: 164.310(a)(1-2)
    Implement procedures to control and validate individual access to facilities based on role or function, including visitor control and access control for software testing and revision.

41. Maintenance Records (Addressable Standard)
    Citation: 164.310(a)(1-2)
    Implement P&Ps to document repairs and changes to physical elements of a facility related to security (hardware, walls, doors, locks, etc.).

42. Workstation Use (Required Standard)
    Citation: 164.310(b-c)
    Implement P&Ps that specify the proper functions, procedures, and appropriate environments of workstations that access ePHI.

43. Workstation Security (Required Standard)
    Citation: 164.310(b-c)
    Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users.

44. Media Disposal & Disposition (Required Standard)
    Citation: 164.310(d)(1-2)
    Implement P&Ps to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored.

45. Media Re-use (Required Standard)
    Citation: 164.310(d)(1-2)
    Implement procedures for removal of ePHI from electronic media before the media are made available for re-use.

46. Hardware & Media (Addressable Standard)
    Citation: 164.310(d)(1-2)
    Maintain records of the movements of hardware and electronic media, and any person responsible therefore.

47. Data Backup and Storage (Addressable Standard)
    The Data Backup Plan defines what data is essential for continuity after damage or destruction of data, hardware, or software. Risk Analysis determines what to back up.

48. Unique User Identification (Required Standard)
    Assign a unique name and/or number for identifying and tracking user identity.

49. Emergency Access Policy (Required Standard)
    Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency.

50. Automatic Logoff (Addressable Standard)
    Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

51. Encryption and Decryption (Addressable Standard)
    Citation: 164.312(a)(1-2)
    Implement an appropriate mechanism to encrypt and decrypt ePHI.

52. Audit Controls (Required Standard)
    Citation: 164.312(b)
    Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.

53. Integrity Controls Policy (Addressable Standard)
    Citation: 164.312(c)(1-2)
    Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.

54. Person or Entity (Required Standard)
    Citation: 164.312(d)
    Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.

55. Transmission Security Policy (Addressable Standard)
    Citation: 164.312(e)(1)
    Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.

56. Mobile Device Policy (Optional Policy)
    Citation: 164.302-164.314
    Governs the use, within an entity, of mobile devices that can access, use, transmit, or store ePHI.
